🎓️ Vulnerable U | #030
Overcoming Security Obstructionism, Mark Cuban loses $870 to Crypto Scam, MGM still recovering from ransomware, and 38TB of Microsoft Data Leaked
Read Time: 7 minutes
30 weeks of Vulnerable U straight is a cool milestone! And we have a few thousand more of you this week than we did a few weeks ago. I’m glad to have you all aboard.
Back home in ATX, and just about jet lag cleared. Writing to you during a busy week, but in one where I did get to sneak out to one of my favorite music venues and see a favorite band of mine.
Me in my element
mattjay’s blog of the week. This week I dive into why we’re sometimes our own worst enemy. Here’s a sneak peek:
In this episode:
A clue into last week’s MGM Casino hacks
All Defcon videos are uploaded and free on their YouTube channel
Mark Cuban on how he lost $870,000 to crypto scam — ‘They must have been watching’
38TB of data accidentally exposed by Microsoft AI researchers
Clorox warns of product shortages after cyberattack
Microsoft promises to act as Teams continues to get pummeled by phishing attacks
Cisco to Acquire Splunk for $28 Billion
GitHub Passkeys are generally available
T-Mobile users say other people’s account information is appearing in their app
🖊️ Something I wrote: How to find your personal/professional moat
🎧️ Something I heard: 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets - Truffle Security reports
🎤 Something I said: Vulnerable U YouTube channel running through everything for the week in around 10 minutes.
🔖 Something I read: No Mercy / No Malice making a case for Google being broken up under anti-trust laws
There are some updates on the Vegas casino hacks from last week. It has taken MGM 10 days to get their systems back online, which is incredibly slow in today’s environment. I think I have an idea why…
A clue into their troubles
This is going to be some black hat's origin story
— Ian Coldwater 📦💥 (@IanColdwater)
Sep 22, 2023
They are also reportedly losing $8.4 million for every day this incident goes on (Source).
We talked a lot about the Vegas hacks last week. Here is an update, along with a statement straight from the threat actors, ALPHV, themselves.
Here is a TL;DR on ALPHV’s statement:
The ALPHV group claims they infiltrated MGM's network and had access to their systems.
Contrary to reports, MGM shut down its systems in response to the group's presence, not due to a ransomware attack. The ransomware was deployed later when communication attempts failed.
MGM's hasty decisions, like shutting down their Okta Sync servers, resulted in them being locked out of their own systems while ALPHV maintained access.
The group claims to have launched ransomware attacks on over 100 of MGM's systems on September 11th.
ALPHV provided a link for MGM to download the exfiltrated data, password-protected with a password hinted at by senior executives’ own passwords.
The group hints at the possibility of possessing Personally Identifiable Information (PII) and may notify HaveIBeenPwned.com if no agreement with MGM is reached.
ALPHV criticizes MGM's insider trading behavior and accuses the company of greed and incompetence.
The group denies rumors about tampering with MGM's slot machines and challenges false claims made by media outlets.
ALPHV warns of further attacks if no agreement is reached with MGM.
The group emphasizes that any official updates will only be available on their blog and urges caution against believing unreliable sources.
This is why I prioritize hallway con in Vegas. Now I get to go through and watch every talk I missed without standing in line. There are some real gems in here. What are some of your highlights from Vegas 2023?
I try to watch a few talks on topics I know virtually nothing about, and there are always a ton of those at DEFCON. Here’s a good one on spoofing emails from 2 million domains abusing Cloudflare and bypassing SPF & DMARC. (read more)
We’ve talked about stories similar to this in recent weeks. Crypto scams are plentiful, and this one ties in a fake app in the app store. We saw a fake Signal app last month; now it’s a fake MetaMask.
Mark Cuban, the billionaire entrepreneur and owner of the Dallas Mavericks, recently lost approximately $870,000 to a crypto scam. The suspicious activities in his crypto wallet were initially detected by on-chain sleuths. Cuban mentioned that he had accessed MetaMask for the first time in months and suspects that he might have downloaded a compromised version of the application. (read more)
Old bugs are new again? Inadvertently public S3 buckets have plagued AWS forever. Now it’s Azure’s turn to climb the learning curve of pain.
Microsoft's AI research team inadvertently exposed 38 terabytes of private data while publishing open-source training data on GitHub. The exposed data included a backup of two employees' workstations, secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. The root cause was a misconfigured Azure Storage feature, Shared Access Signature (SAS) tokens: the token was intended to share specific files but ended up granting access to the entire storage account.
What I also want to know is why employees’ workstations had all that info on there. And, are they training AI models on Teams messages? (read more)
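The over-scoped token is something you can check for in any SAS URL that turns up in a repo, a ticket or a README. This is an added example (not the newsletter's or Microsoft's code) that inspects the documented SAS query parameters and flags account-level scope, write permissions and long lifetimes; the storage account name, policy name and signature values are constructed placeholders.

```python
"""Flag over-broad Azure Storage SAS URLs (added example, not from the newsletter)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

WRITE_PERMS = set("wdaclup")      # write, delete, add, create, list, update, process
MAX_LIFETIME = timedelta(days=7)  # assumed policy ceiling for ad-hoc tokens


def sas_findings(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return risk findings for a SAS URL; an empty list means narrowly scoped."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings: List[str] = []
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL (missing sig/se)"]
    # An account SAS carries ss/srt (services, resource types) instead of sr.
    if "srt" in q:
        findings.append(f"account-level SAS: whole storage account in scope (srt={q['srt']})")
    elif q.get("sr") == "c":
        findings.append("container-level SAS: every blob in the container is reachable")
    elif q.get("sr") not in ("b", "bs", "bv"):
        findings.append(f"unrecognised signed resource sr={q.get('sr')}")
    granted = set(q.get("sp", "")) & WRITE_PERMS
    if granted:
        findings.append("grants write/delete/list permissions: " + "".join(sorted(granted)))
    expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if expiry - now > MAX_LIFETIME:
        findings.append(f"long-lived token: expires {expiry.date()}")
    if "si" not in q:
        findings.append("ad-hoc token (no stored access policy): revocable only by rotating the account key")
    return findings


# Constructed sample URLs: an over-broad account SAS and a narrow read-only blob SAS.
BROAD = ("https://placeholderacct.blob.core.windows.net/?sv=2021-06-08&ss=b&srt=sco"
         "&sp=rwdlac&se=2051-10-06T00:00:00Z&sig=CONSTRUCTED")
NARROW = ("https://placeholderacct.blob.core.windows.net/models/weights.bin?sv=2021-06-08"
          "&sr=b&si=readonly-policy&sp=r&se=2023-09-25T00:00:00Z&sig=CONSTRUCTED")
NOW = datetime(2023, 9, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, url in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(label, sas_findings(url, NOW) or ["ok"])
```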
Clorox, yup, the bleach one, recently experienced a significant cyberattack that has disrupted its operations and is expected to impact its first-quarter earnings negatively.
We don’t know a lot about this one yet. The SEC filing and a short public statement said they took a bunch of their systems offline due to a breach. We have no timeline, details of the initial access point, or attack type. But they are still using manual ordering operations, which leads me to believe they haven’t fully recovered. They’re warning of slower order flows as it is all manual. I hope we hear more about this one since the recovery seems prolonged. (read more)
Teams has been a giant phishing target lately, and Microsoft is now vowing to do something about it.
A notable threat group, Storm-0324, has been sending malicious links via Teams messages, leveraging tools like TeamsPhisher. This group is also linked to distributing the JSSLoader malware associated with the notorious ransomware gang FIN7.
They are rolling out “new but unspecified” phishing defenses for Teams. Who knows what that means, but I’m glad they’re taking some more responsibility beyond user education for such a large phishing attack surface. (read more)
It was cheaper just to buy them than renew their license for the year.
This one is a bit of a head-scratcher for everyone. Splunk seemed to be cash-flow heavy, and I didn’t see an acquisition coming here if it didn’t happen a decade ago. Maybe there is some inside financial baseball we aren’t aware of. There are also a lot of newer SIEMs hitting the market looking to outflank expensive incumbents like Splunk, so they might have been making progress. (read more)
I believe passkeys are a major player in the future of authentication and a fierce weapon in the fight against phishing. They just need more adoption. Well, GitHub is an early adopter, and I’m grateful for it. To register one or more passkeys on your account, head to your account security settings and click “Add a passkey.” (read more)
T-Mobile seems to have more data breaches than any other telecom. This time it might just be a glitch, but the end result is the same: PII ends up in the hands of someone who isn’t supposed to have it. (read more)
In related but unconfirmed news, there are reports on breach forums and vx-underground that T-Mobile’s employee data has been breached and leaked.
Hello, prepare yourself for another long post about the new T-Mobile breach and a mistake that we made.
Mistake: Employee PII was leaked, NOT customer PII. This is the 2nd time a T-Mobile breach has exposed T-Mobile employees.
We've had a large number of people asking how we… twitter.com/i/web/status/1…
— vx-underground (@vxunderground)
Sep 22, 2023
Saw a lot of vendors touting their 100% MITRE coverage today, which is just fluff nonsense. Thanks to the Huntress team for cutting through the noise:
I’m in this comic, and I don’t like it
I’ll be on the Shared Security Podcast next week. We recorded a few days ago with Tom and had a great chat.
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen